RAT My Demise

Discussion in 'Trojan Defence Suite' started by tutankamon, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all,
    I have a positive ID. Doing a "full system scan" I got a "Positive ID RAT: My Demise 1.0 Dropper Program Files / Enzip / enzip.sfx" I tried using `Go Back` and went back 2 days, did another scan with TDS3 it was still there.( it has never showed before when I have done scans with TDS3 (not full system scan) Norton System Works 2003 (fully updated) I have Wormguard installed, also Reg Protecter. Yesterday I noticed that my sygate firewall icon disappeared from the system tray, so I disconnected my cable modem. I then Installed Zone alarm Pro trial version, so that at least I had a firewall. So I have removed Enzip using the ADD / REMOVE in control panel. When I did a full system scan this morning it showed Positive ID in Norton recycled, see below, what is this trojan?
    what do I do now?
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tutankamon, please send a zipped copy of enzip etc. to submit@diamondcs.com.au ASAP - whilst zipped they can do no harm.
    Download today's TDS update and run a full system scan with all scanning options enabled. If still there then use the submit menu item to send to DCS. Remember that TDS does scan inside of zipped folders.
    If you have system restore there may be a copy of the file in a restore point.
    Do another scan and if the thing shows again disable Sys restore. Reboot and then create a new system restore point and scan once again.

    HTH Pilli.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't forget to send that password stealing thing too, please.

    There might be something started, so you might like to create and post an AutostartViewer log or HJT log if it still comes back after Pilli's advice.
    It could be something in the last database update too, of course detecting code which is not in an intended nasty (others call that false positives).
    For your own second opinion you might like to go as well to www.kaspersky.com/remoteviruschk.html and online check the files (you can zip them all together in one zip as long as the size is under 1 MB) -- I use it rather often there myself!
     
  4. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Pilli,
    I can't send you a copy of ENZIP as I removed it using the ADD / REMOVE program in the control panel.
    The trojan is now located in the Norton recycled bin.
    Is it safe there? Should I empty the bin? Can I zip, and send the file to you from the Norton recycled bin?
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Maybe you should change your passwords as well.
    Dolf
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not sure about Norton, maybe another poster may be able to help you there - Sorry :)
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This was a false positive on a few self extractors due to the similarity of the dropper used by the trojan in question. It was quickly fixed up for today's update many hours ago, apologies for the scare (please do download and update your databases soon though to confirm a non-detection).

    Edit: If your firewall disappeared hopefully only the GUI application CRASHED rather than being shut down. You should send an ASViewer log ASAP to gavin@diamondcs.com.au - do you use ProcessGuard ?
     
  8. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Gavin,
    No, I do not use Process Guard as I am running on Windows ME. I have emptied the Norton recycled bin, I have removed Enzip completely, I have installed Zone Alarm Pro (trial), I have cancelled my credit card, I have altered my password for my e-mail, I have not had a nice day. I will now download the latest, latest update.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I see that port.pkf.exe -- was this left after registering PE? I only have a port.pkf there.

    Any reactions on the password stealer in the tools folder yet? You did send in that one too, didn't you? Or is that part of the dropper story?

    The enzip is not clear to me in this story? Is that the name of the Sygate firewall or do I miss something completely?

    Hope you get the credit card back soon, but it might not be a bad idea to change them occasionally if you use them on the internet. Somebody once posted to have only a little credit on them and after that use another one, and even using the gift cards we are spammed with on a daily basis with all kinds of strange user names on them to avoid theft as much as possible. It surely seems to help.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    tutankamon - Your experience is precisely why someone shouldn't automatically go about un-installing programs or deleting files when they receive an alert off of a new database.

    It's the main reason I suggest having more than one anti-trojan program - so you can cross-check results before taking action. If you don't get a "positive detection" on both, it's a pretty good indication that you're dealing with a FP and should immediately contact the software maker with all the information involved - before you delete/un-install anything.

    I'm sorry you had a bad day because of a false positive (I know what that's like). Pete
     
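    The triage spy1 describes (cross-check a new-database alert against a second scanner before deleting anything, and, as Pilli advised earlier, submit the zipped sample to the vendor) as a small added Python example. It is not code from this thread or from DiamondCS; the scanner names, the detection string and the file names enzip.sfx and port.pkf.exe are taken from the thread, the file contents are constructed stand-ins, and the hash manifest is an assumption about what a useful submission looks like.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Executable extensions that, as the last suffix, make a "double extension"
# name (e.g. port.pkf.exe) worth a second look before trusting it.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat"}


def sha256_of(path):
    """Stream a file through SHA-256 so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_double_extension(name):
    """True for names like port.pkf.exe: a data-file suffix in front of an executable one."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in EXEC_SUFFIXES


def triage(detections):
    """detections maps scanner name -> detection string, or None when clean.
    A hit from only one scanner is treated as a possible false positive: the
    right move is to submit the sample, not to delete or uninstall anything."""
    hits = [name for name, verdict in detections.items() if verdict]
    if not hits:
        return "clean"
    if len(hits) >= 2:
        return "confirmed"
    return "possible_fp"


def package_for_submission(paths, out_zip):
    """Zip the suspect files (a zipped sample cannot execute) and add a
    MANIFEST.txt of SHA-256 hashes so the vendor can confirm what was sent."""
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in map(Path, paths):
            manifest[p.name] = sha256_of(p)
            zf.write(p, arcname=p.name)
        lines = [f"{digest}  {name}" for name, digest in manifest.items()]
        zf.writestr("MANIFEST.txt", "\n".join(lines) + "\n")
    return manifest


def verify_manifest(zip_path):
    """Re-hash every entry listed in MANIFEST.txt; False on any mismatch or an empty manifest."""
    with zipfile.ZipFile(zip_path) as zf:
        expected = {}
        for line in zf.read("MANIFEST.txt").decode().splitlines():
            digest, name = line.split("  ", 1)
            expected[name] = digest
        for name, digest in expected.items():
            if hashlib.sha256(zf.read(name)).hexdigest() != digest:
                return False
    return bool(expected)


def demo():
    """Constructed walk-through of the thread's situation: one scanner flags
    enzip.sfx, the other does not, and a port.pkf.exe sits in the PE folder."""
    tmp = Path(tempfile.mkdtemp())
    # Constructed stand-ins, not real samples: a few bytes with an MZ header
    # for the self-extractor and arbitrary bytes for the mis-named keyfile.
    sample = tmp / "enzip.sfx"
    sample.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed self-extractor stub")
    keyfile = tmp / "port.pkf.exe"
    keyfile.write_bytes(b"constructed keyfile bytes")

    # Detection string is the one from the thread; the second scanner is clean.
    verdict = triage({"TDS-3": "RAT: My Demise 1.0 Dropper",
                      "Norton System Works 2003": None})
    suspicious = [p.name for p in (sample, keyfile) if has_double_extension(p.name)]
    out_zip = tmp / "submission.zip"
    manifest = package_for_submission([sample, keyfile], out_zip)
    return {"verdict": verdict, "suspicious_names": suspicious,
            "zip": str(out_zip), "manifest": manifest}


if __name__ == "__main__":
    result = demo()
    print(result["verdict"], result["suspicious_names"])
    for name, digest in result["manifest"].items():
        print(digest, name)
```

    The point of the manifest is that the vendor (or you, days later) can tie the analyst's verdict to exact bytes; the point of the single-hit rule is the one spy1 makes: one scanner's fresh signature is a reason to submit, not a reason to uninstall.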
  11. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Spy1,
    Thanks for the post. I had a few beers last night, a good night's sleep, and things don't look as bad today. I have downloaded Enzip (a freeware file zip / unzip program) and reinstalled it. My new credit card will be with me in a couple of days, so everything should be ok. What other trojan program do you suggest, as a backup to TDS3?
     
  12. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Jooske,
    The `password stealing thingy` was a demo program, and was not a threat. The double extension in Port Explorer, is this not normal? If not, what should I do to correct it?
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tut,
    Not normal, the port.pkf should not have the .exe extension.
    Port.pkf in my PE folder is 6KB -
    It would be interesting to know what size your port.pkf.exe is and if you also have a port.pkf file in your PE folder :)
     
  14. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Pilli,
    It is easier to show than to explain.

    Attached Files: PE.jpg (67.7 KB)
  15. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    and

  16. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    and finally

    Attached Files: pkf.jpg (76.7 KB)
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Please would you zip it up and send a copy to submit@diamondcs.com.au -

    I have attached an image of my folder for you to compare. Providing PE works properly when the file is zipped I believe that you could safely delete after sending a copy to DCS that is :)
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pilli, I guess --if you are talking about the port.pkf.exe in your last posting-- it is the self extracting keyfile for PE, so I don't see a real need to delete it, but no real need to keep it either, if you keep a copy of the keyfile and the registration email safely on a diskette or burned on a CD.

    Tut, no matter what the passdump.exe thing is, a demo or a tool whatever, TDS detected it as a positive so I do hope you did submit that one too so even if it would be innocent it enables Gavin to refine detection in the databases. Thanks a lot!
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske, I must admit I never had a port.pkf.exe file, only port.pkf, probably because as beta testers we received our keys as a .zip if I remember correctly :oops:

    Anyway, at least we can see PE's main folder list for reference :)
     
  20. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Jooske,
    I have zipped the "leaktest demo" and submitted it. I will now move the "port pkf.exe" onto floppy then delete the original from the port explorer folder, correct?
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tut, that would be good, but you only need to copy the port.pkf file to a floppy just in case you have to re-format your hard drive for any reason in the future.
    If you have any other DCS products you could also add their keyfiles. :)
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This is the one I mean, I took it from your own screenshot; the leaktest is known, no problem with that at all. I ask you all the time to please submit the passdump.exe file. Even if there is nothing wrong with it, it helps the refining of the databases. submit@diamondcs.com.au
    Thanks.
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I think you just need to rename port.pkf.exe back to port.pkf - it never WAS an exe file :) It comes as PORT.ZIP with port.pkf inside
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes - that's even in the instructions that you receive when you get the keyfile, isn't it? (Re-naming it if it has a double-extension like that). Pete
     
  25. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Gavin,
    I have removed port pkf.exe, I already have a file port pkf. Everything seems fine.
     